Some Web sites always seem to want to know who you are!

[Screenshots: the SI539 "Please Log In" form (E-Mail and Password fields) and the University of Michigan weblogin page (Login ID and Password fields)]


Other Web sites always seem to know who you are!

[Screenshots: a Twitter home page and a Flickr home page, both already signed in as drchuck]


How you see YouTube...

[Diagram: You, Browser and Server. Each click sends a GET to the server and the browser draws the whole page; in between, you watch the YouTube video for 30 seconds.]


Multi-User


• When a server is interacting with many different browsers at the same
time, the server needs to know *which* browser a particular request
came from

• Request / Response initially was stateless - all browsers looked
identical - this was really really bad and did not last very long at all.


Web Cookies to the Rescue


Technically, cookies are arbitrary pieces of data chosen by the Web
server and sent to the browser. The browser returns them unchanged to
the server, introducing a state (memory of previous events) into
otherwise stateless HTTP transactions. Without cookies, each retrieval
of a Web page or component of a Web page is an isolated event,
mostly unrelated to all other views of the pages of the same site.


http://en.wikipedia.org/wiki/HTTP_cookie 


[Diagram: 1. the Web browser requests a Web page; 2. the Web server sends page + cookie; 3. the browser requests another page and sends the cookie back]

http://en.wikipedia.org/wiki/HTTP_cookie


Cookies In the Browser


• Cookies are marked as to the web addresses they come from - the
browser only sends back cookies that were originally set by the same
web server

• Cookies have an expiration date - some last for years - others are
short-term and go away as soon as the browser is closed

[Diagram: Browser and Server; labels: Redraw, Update, Update]

Remember that cookies are only sent back to the host that set the cookie.


Getting Data From The Server


• Each time the user clicks on an anchor tag with an href= value to
switch to a new page, the browser makes a connection to the web
server and issues a “GET” request - to GET the content of the page at
the specified URL

• The server returns the HTML document to the Browser which
formats and displays the document to the user.


HTTP Request / Response Cycle

[Diagram: the Browser (Internet Explorer, Firefox, Safari, etc.) sends an HTTP Request to the Web Server, which returns an HTTP Response; the browser displays a sample page with a link to click]

http://www.oreilly.com/openbook/cgi/ch04_02.html


HTTP Request / Response Cycle

HTTP Request (Browser to Web Server):

    GET /index.html HTTP/1.1
    Accept: www/source
    Accept: text/html
    User-Agent: Lynx/2.4

HTTP Response (Web Server to Browser):

    HTTP/1.1 200 OK
    Content-type: text/html
    Set-Cookie: name=value

    <head> .. </head>
    <body>
    <h1>Welcome ....

http://www.oreilly.com/openbook/cgi/ch04_02.html


HTTP Response / Request Cycle

HTTP Response (Web Server to Browser):

    HTTP/1.1 200 OK
    Content-type: text/html
    Set-Cookie: name=value

    <head> .. </head>
    <body>
    <h1>Welcome ....

HTTP Request (Browser to Web Server, next page):

    GET /index.html HTTP/1.1
    Accept: www/source
    Accept: text/html
    Cookie: name=value
    User-Agent: Lynx/2.4

http://www.oreilly.com/openbook/cgi/ch04_02.html


Sessions


• In Rails as soon as we meet a new browser - we create a session

• Rails sets a session cookie to be stored in the browser which indicates
the session id in use

• The creation and destruction of sessions is generally transparent to
Rails applications


Using Cookies Wisely


• Usually the server only stores a small amount of information in the
cookie

• Permanent - who you are - account name, last access time

• Temporary - session identifier


Session Identifier


• A large, random number that we place in a browser cookie the first
time we encounter a browser.

• This number is used to pick from the many sessions that the server
has active at any one time.

• Server software stores data in the session which it wants to have from
one request to another from the same browser.

• Shopping cart or login information


[Diagram sequence: server-side sessions selected by the browser's cookie]

1. The Server holds Session 10 (user=chuck, bal=$1000) and Session 46 (user=jan, bal=$500). The server code is "withdraw: bal=bal-100".

2. Browser A holds cookie=10, Browser B holds cookie=46, Browser C has no cookie yet.

3. Browser B sends a Request. The server runs bal=bal-100 against Session 46 and sends the Response. Session 46 now shows bal=$400; Session 10 is unchanged.

4. Browser C connects and is given cookie=97; the server creates Session 97.

5. Session 97 later holds user=phil.


Session Variable


• In our view and controller there is a special hash map called “session”
that persists across multiple HTTP Request / Response Cycles

• We can use this as a place to store long-lasting information such as
the name of the current logged in user

• It is like flash - but it lasts across request-response cycles


Log messages


• We have been seeing session information all along from our very first
Rails program in the logs

• The session ID changes if you close and re-open a browser or open
two browsers (Safari and Firefox) at the same time


    Processing Assn6Controller#index (for 127.0.0.1 at 2007-10-09 10:55:47) [GET]
      Session ID: f012e17e4fe1d4c240a0cb34c69b2ab0
      Parameters: {"action"=>"index", "controller"=>"assn6"}
    Rendering assn6/index
    Completed in 0.00195 (512 reqs/sec) | Rendering: 0.00096 (49%) | 200 OK [http://localhost/Assn6/]

Using the Session Hash


• To remove an entry, simply set the session entry to nil

    # Store a value under a key in the session hash
    session[:lasalle] = params[:account]

    # Test whether the entry is present
    if session[:lasalle] != nil
      # ... the entry is set ...
    end

    # Remove the entry
    session[:lasalle] = nil


Objects in Session


• The session hash can store any object - not just strings

    s = Story.new
    session[:currentstory] = s


• However we generally do not want to fill session up with too much
“stuff” - we just put in things like logged-in user name, current course,
and things that allow us to “look up” other important things.


Sessions


Sessions allows you to store objects in between requests. This is useful for objects that are not yet ready to be persisted, such
as a Signup object constructed in a multi-paged process, or objects that don't change much and are needed all the time, such as
a User object for a system that requires login. The session should not be used, however, as a cache for objects where it's likely
they could be changed unknowingly. It's usually too much work to keep it all synchronized — something databases already
excel at.

You can place objects in the session by using the session method, which accesses a hash:


    session[:person] = Person.authenticate(username, password)


And retrieved again through the same hash:


    Hello #{session[:person]}


For removing objects from the session, you can either assign a single key to nil, like session[:person] = nil, or you can
remove the entire session with reset_session.

By default, sessions are stored on the file system in RAILS_ROOT/tmp/sessions. Any object can be placed in the session (as long
as it can be Marshalled). But remember that 1000 active sessions each storing a 50kb object could lead to a 50MB store on the
filesystem. In other words, think carefully about size and caching before resorting to the use of the session on the filesystem.


http://api.rubyonrails.org/classes/ActionController/Base.html 
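
The size and stale-cache caveats in the API text above, shown as an added example (not course or Rails code). Member, its admin flag and the helper names are assumptions made for illustration, and Marshal stands in for the file-based session store.

```ruby
# Added example, not course or Rails code. Member, its admin flag and
# all helper names are hypothetical; Marshal stands in for the file store.
Member = Struct.new(:id, :email, :admin, :bio)

# Constructed "database": one member carrying a 50 KB profile field.
def new_db
  { 7 => Member.new(7, 'jan@example.com', true, 'x' * 50_000) }
end

# What the store does between requests: serialize, then load again.
def round_trip(session)
  Marshal.load(Marshal.dump(session))
end

def stored_bytes(session)
  Marshal.dump(session).bytesize
end

def compare_styles
  db = new_db
  cached = { member: db[7] }   # style 1: whole object in the session
  by_id  = { member_id: 7 }    # style 2: only the key to look it up
  sizes  = { cached: stored_bytes(cached), by_id: stored_bytes(by_id) }

  # Next request: both sessions come back from the store, and in the
  # meantime the member's admin flag was revoked in the database.
  cached = round_trip(cached)
  by_id  = round_trip(by_id)
  db[7].admin = false

  { sizes: sizes,
    cached_admin: cached[:member].admin,          # stale copy: true
    by_id_admin: db[by_id[:member_id]].admin }    # fresh lookup: false
end

puts compare_styles.inspect
```

The session that cached the whole object keeps granting the revoked flag until the session ends, while the session that stores only the id sees the change on the next request.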


Login / Logout


• Having a session is not the same as being logged in.

• Generally you have a session the instant you connect to a web site

• The Session ID cookie is set when the first page is delivered

• Login puts user information in the session (stored in the server)

• Logout removes user information from the session
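
The session identifier and login / logout behaviour described above, as an added example in plain Ruby (not course code and not how Rails implements sessions). SessionStore, the cookie name sid and the helper names are assumptions. Unlike the small ids 10, 46 and 97 in the diagram, the id here is 128 random bits, and an id the server did not issue is never adopted.

```ruby
require 'securerandom'
# Added example, not course code. SessionStore, COOKIE_NAME and the
# helper names are hypothetical; this is not how Rails implements it.
class SessionStore
  COOKIE_NAME = 'sid'

  def initialize
    @sessions = {} # session id => hash of data kept for that browser
  end

  # Extract our session id from a raw "Cookie:" header value.
  def id_from_cookie(header)
    header.to_s.split(';').each do |pair|
      name, value = pair.strip.split('=', 2)
      return value if name == COOKIE_NAME
    end
    nil
  end

  # One request: returns [session, set_cookie]. set_cookie is nil when
  # the browser presented an id that the server itself issued earlier.
  def session_for(cookie_header)
    id = id_from_cookie(cookie_header)
    return [@sessions[id], nil] if id && @sessions.key?(id)
    # Missing or unknown id: issue a fresh one, never adopt the
    # browser's value. 16 random bytes = 128 bits, infeasible to guess.
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    [@sessions[id], "#{COOKIE_NAME}=#{id}"]
  end
end

# Login and logout only set or clear one entry in an existing session.
def login(session, user)
  session[:user] = user
end
def logout(session)
  session[:user] = nil
end
def logged_in?(session)
  !session[:user].nil?
end

# Constructed walk-through: first visit, login, return visit.
store = SessionStore.new
session, set_cookie = store.session_for(nil)
login(session, 'jan')
again, = store.session_for("theme=dark; #{set_cookie}")
puts "same session: #{again.equal?(session)}, user: #{again[:user]}"
```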


In Rails


• We will pick a key to be where we store our logged in user object in
the session.

• Login sets the entry and logout clears the entry

• The entry starts out empty when a brand new session is created when
a browser first connects - so you are “not logged in” (*)


(*) Some applications like Twitter and Flickr automate the login process by setting a long-term
cookie in the browser - if this long-term cookie is present - you get auto-logged in.


[Screenshot: the SI539 "Please Log In" form with E-Mail and Password fields and a Submit button. Below the form: "If you have lost your password, please send an E-Mail to membership@si539.com to have your password reset."]


    def login
      # Clear user information in session.
      session[:lasalle] = nil
      if not request.post?
        return
      end

      # Check for bad data from the form.
      if params[:yourpw] == nil or params[:yourmail] == nil or
         params[:yourpw] == "" or params[:yourmail] == ""
        flash[:notice] = "Please specify both E-Mail and password"
        return
      end

      # Look up to see if the id/password is right.
      # This classroom version accepts the single hard-coded password
      # 'secret' for every account; a real application must check a
      # credential stored per member.
      memb = Member.find_by_email(params[:yourmail])
      logger.info "Retrieved member #{memb}"
      if memb == nil or params[:yourpw] != 'secret'
        flash[:notice] = "Account / Password combination not found"
        return
      end

      # Store the member object in the session hash.
      session[:lasalle] = memb
      logger.info "User logged in:#{memb.email}"
      redirect_to :action => 'index'
    end



Using Session Information

    <h2>Real-Time Chat</h2>
    <p>
    <% if session[:lasalle] != nil %>
      <% form_remote_tag :url => 'chatcontent', :update => 'chatdiv' do -%>
        <input type="text" size="60" name="chatmsg"/>
        <%= submit_tag 'Send' %>
      <% end %>
    <% else -%>
      You must log in to participate in chat. (<%= link_to "login", :action => 'login' %>)
    <% end %>
    </p>


Logout is easy.


    def logout
      # Remove the user data from the session hash.
      session[:lasalle] = nil
      redirect_to :action => 'index'
    end

How you see YouTube...

[Diagram: You, Browser and Server. Each click sends a GET and the whole page is drawn; you watch the YouTube video for 30 seconds; the Server holds Session 42 for this browser.]


Summary


• Cookies take the stateless web and allow servers to store small
“breadcrumbs” in each browser.

• Session IDs are large random numbers stored in a cookie and used to
maintain a session on the server for each of the browsers connecting
to the server

• Rails applications can use the session[] hash map to store data across
multiple request/response cycles.


